Methods for protecting a smart card

ABSTRACT

A method for protecting an electronic entity such as a smart card, against simple/differential power analysis, by integrating a current accumulator in said entity. The current accumulator (19) powers a processor (P) via a multiplexer (20) when the processor is loaded to execute so-called sensitive operations.

[0001] The invention relates to a method of protecting an electronic entity including a microcircuit, in particular a microcircuit card with encrypted access, said protection being aimed more particularly at forms of attack known as “current analysis”. The invention also relates to an electronic entity including a microcircuit, in particular a microcircuit card with encrypted access, equipped with means for obtaining the protection offered by said method.

[0002] The person skilled in the art knows that some electronic entities with encrypted access, in particular microcircuit cards, are vulnerable to certain forms of attack based on analyzing certain parameters during a phase of their operation. It is said that information can “leak” from a computation carried out in said electronic entity (the card), typically the execution of a cryptographic protocol instigated by a fraudster in illegal possession of the card. The parameters analyzed during the execution of this kind of protocol can typically be computation time differences or differences in electromagnetic radiation during execution of the computation, but above all the current consumed by the electronic entity itself during the execution of a cryptographic protocol.

[0003] Thus a standard attack consists in having the electronic entity that has fallen into the hands of the fraudster execute a certain number of cryptographic protocols based on random messages, which are therefore bound to fail, but cause the entity (the microcircuit card) to execute each time a cryptographic algorithm, for example the DES (DATA ENCRYPTION STANDARD) algorithm, and analyzing the current consumed during each execution of said DES algorithm. The object of this attack is to discover the secret key of said entity. The DES algorithm is very widely used at present in the field of bank cards, SIM (GSM) cards, pay per view television access cards, and access control cards.

[0004] In the case of fraud, i.e. when the fraudster has the card and is seeking to determine the key, the fraudster can connect said card to a reader by means of which he can transmit messages to it and connect it to means for recording the current consumed by the microcircuit during the execution of the operations that it carries out. The fraudster instigates multiple execution of the DES algorithm and the current consumption is detected and memorized each time. From all of this data, and in particular from the current consumption measurements, it is possible to mount attacks whose principle is well known. These SPA-DPA (Simple Power Analysis/Differential Power Analysis) attacks can reconstitute the key of the electronic entity.

[0005] In a paper presented on 17 Aug. 2000 at the CHES 2000 conference and published by SPRINGER under the No. 1965, the use of a battery integrated into the electronic entity to supply power to the microcircuit is envisaged. However, the author of the paper finishes by setting aside this solution, deeming it somewhat impractical and difficult to put into practice. The invention solves the problems referred to by the author of this paper.

[0006] To be more precise, the invention provides a method of protecting a microcircuit electronic entity such as a microcircuit card against current analysis attack, of the type consisting in associating with said microcircuit an energy store placed inside said entity, characterized in that, during an exchange of information in which said entity is coupled to a server adapted to provide it with an electrical power supply, at least a portion of said microcircuit is supplied with electrical power provided by said energy store during the execution of predetermined operations by said at least one portion of said microcircuit, said server supplying electrical power to said microcircuit during the execution of other operations.

[0007] The aforementioned energy store can be a battery, preferably a rechargeable battery. In this case, the battery can be charged on each transaction, i.e. each time that the electronic entity is coupled to a server capable of supplying to it the necessary electrical energy. The microcircuit is preferably designed and programmed to command charging of the battery outside time periods in which it is being used to supply power to the microcircuit or the portion of the microcircuit responsible for executing said predetermined operations. Instead of this, or in addition to this, said battery can be charged with solar energy by means of a photoelectric cell integrated into the electronic entity. In the current state of the art it is possible to envisage integrating into the thickness of a card at least one battery or rechargeable battery and also a photoelectric cell.

[0008] The aforementioned predetermined operations during which the microcircuit or a portion thereof is supplied with power internally and not by the server to which the electronic entity is connected (which could in fact be a device designed to break the secret codes of the card) are all exchanges of “sensitive” information, during which confidential data is exchanged. These operations are, for example, cryptographic algorithms during which keys are used or exchanged, the procedure for verifying the PIN, etc.

[0009] Alternatively, said predetermined operations can be executed by a coprocessor supplied with power by said battery while other operations are executed by a main processor supplied with power by said server. Another solution is to switch a main processor so that it is supplied with power by said battery while it is executing said predetermined “sensitive” operations, during which time periods said server supplies power to a decoy circuit, which continues to carry out operations and therefore to simulate consumption of current. However, the simulated current consumption is independent of the sensitive predetermined operations that are being executed at that time. This makes it impossible to recover sensitive data such as cryptographic keys, the PIN, etc. from a recording of the power supply current. Because the necessary current is being supplied by a battery or a rechargeable battery situated inside the electronic entity including the microcircuit, no information of interest relating to the operating status of the processor can “leak” out of the card via the analysis of the current supplied by the server.

[0010] Even if the electronic entity is equipped with a simple non-rechargeable battery, the service life thereof is relatively long since said battery is used only to execute small program portions and not for all of the operations constituting a transaction between said electronic entity and the server. The use of a decoy or a coprocessor prevents an attacker from being able to determine the times at which the sensitive portions of the program are executed since, during those time intervals, the microcircuit continues to carry out operations, consuming current supplied by the external server.

[0011] The invention also provides an encrypted access electronic entity comprising a microcircuit and means for coupling the latter to a server itself provided with electrical power supply means for supplying power to said microcircuit via said coupling means, characterized in that it further includes an integrated energy store and selector means adapted to switch the power supply of at least a portion of said microcircuit to said energy store when predetermined operations are being executed by said at least one portion of said microcircuit.

[0012] In one embodiment, said selector means include a multiplexer or the like controlled by a processor of said microcircuit. The multiplexer has two inputs, one connected to a contact terminal for the connection to the electrical power supply means of said server and the other connected to said energy store. An output of said multiplexer is connected to an electrical power supply line of the processor. The processor commands the multiplexer to make the selection between the electrical power supply means of said server and said energy store integrated into said electronic entity.

[0013] The aforementioned contact terminal is one of the electrical contact regions that are usually found on the surface of a microcircuit card of the bank card or access control card type. However, some cards can be equipped with an antenna adapted to be coupled to an antenna situated in the server. The antenna system is used both for exchanging information and for supplying sufficient electrical energy to power the microcircuit. The invention also applies to this type of card, and in this case one of the inputs of the multiplexer is connected to a power supply circuit receiving its energy from the antenna integrated into the electronic entity (the card).

[0014] The invention will be better understood and other advantages of the invention will become more clearly apparent in the light of the following description of embodiments of an electronic entity protected by implementing the concept explained hereinabove, which description is given by way of example only and with reference to the appended drawings, in which:

[0015] FIG. 1 is a diagrammatic view in section of a microcircuit card connected to a server and equipped with the improvement according to the invention;

[0016] FIG. 2 is a block diagram of a first embodiment of an electronic entity according to the invention;

[0017] FIG. 3 is a similar block diagram, showing another embodiment; and

[0018] FIG. 4 is another block diagram, showing a further embodiment.

[0019] Referring more particularly to FIG. 1, there is shown an electronic entity in the form of a microcircuit card 11 equipped with the improvement according to the invention and shown connected to a server 12 including an electrical power supply adapted to supply the electrical energy 13 necessary for the microcircuit housed in a cavity in the card to function. In the conventional way, the microcircuit 15 is accessible from the outside via a number of metal connection regions flush with the surface of the card. One of these regions constitutes a contact terminal 16a connected to one pole of the power supply 13 via a rubbing contact member. Another connection region constitutes a contact terminal 16b connected to the other pole of the power supply (connected to ground). The other connection regions enable exchange of information between the microcircuit and the server.

[0020] According to a noteworthy feature of the invention, a battery or a rechargeable battery 19 is accommodated within the thickness of the card. Moreover, the microcircuit includes selector means, for example essentially constituted of a multiplexer 20 or the like. The multiplexer is connected both to the contact terminal 16a intended to be connected to the electrical power supply of the server 12 and to one pole of the battery 19 housed within the thickness of the card. The other pole of the battery is connected to ground.

[0021] FIG. 2 shows in more detail the general arrangement of the microcircuit 15 and its connection to one pole of the battery 19. In the FIG. 2 example, the microcircuit essentially consists of a processor P, a memory unit M, and a multiplexer 20 with two inputs and one output. In FIGS. 2 to 4, power supply electrical connections are shown in continuous line and control or information exchange connections are shown in dashed line. One input of the multiplexer is connected to the contact terminal 16a and the other input is connected to one pole of the battery 19. The multiplexer constitutes selector means adapted to switch the power supply of at least one portion of the microcircuit 15, in this instance the whole of the processor P, to the integral battery 19 when predetermined operations are being executed by the processor. The predetermined operations in question are the sensitive operations defined hereinabove. The output of the multiplexer is connected to an electrical power supply line 22 of the processor. Moreover, the multiplexer (20) is controlled by the processor P (control connection 23) to select either the electrical power supply 13 of the server or the battery. In the FIG. 1 example, the battery 19 can be a simple non-rechargeable battery. The long service life of the battery is the result of the fact that it supplies power to the processor for only a small portion of the operating time of the card, i.e. when the latter is effecting sensitive operations. For all other operations, the processor is supplied with power by the power supply 13 of the server, via the contact terminal 16a and the multiplexer 20, which is set accordingly by a control signal applied via the control connection 23.

In the FIG. 3 embodiment, items analogous to those of FIG. 2 are identified by the same reference numbers. In this variant, the microcircuit further includes a circuit 25 for charging the battery 19, which is rechargeable. The charging circuit 25 is connected between the contact terminal 16a and the battery 19. It is commanded by the processor P to recharge the battery when the processor is being supplied with power via the server, i.e. by the power supply 13. Advantageously, although this is not obligatory, the card also incorporates a photoelectric cell 27 connected to charge the battery 19. Here this photoelectric cell is connected to the charging circuit 25, which regulates the current, but it is not obligatory for selection of the photoelectric cell 27 to be controlled by the processor. The photoelectric cell can be connected to charge the battery at least partially when it receives sufficient illumination.

[0022] According to another advantageous feature, the microcircuit 15, and more particularly the microprocessor P, can include a decoy circuit 29 that is directly connected to the server coupling means, i.e. to the connection terminal 16a. This decoy circuit is commanded to execute operations when the remainder of the microcircuit, or at least the portion thereof which executes said predetermined operations, is being supplied with power by the battery 19.

[0023] In a further embodiment, shown in FIG. 4, the microcircuit 15 includes a main processor P₀ and a coprocessor P₁. The latter is dedicated to the execution of said predetermined operations. Moreover, in this example, the multiplexer 20a has two inputs and two outputs, forming a kind of double-pole switch, one of the switch poles being open when the other is closed, and vice-versa. The contact terminal 16a is connected to one of the inputs and the corresponding output is connected to the electrical power supply line 22a of the main processor. One of the terminals of the battery 19 is connected to the other input and the corresponding output is connected to the power supply line 22b of the coprocessor P₁. The main processor and the coprocessor are associated with a memory unit M. One of the two processors, for example the main processor, controls the selector means via a control connection 23. Thus the coprocessor is supplied with power only by the battery via the selector means.

[0024] Simplifying the FIG. 3 embodiment by connecting the power supply line 22a of the processor P₀ directly to the contact terminal 16a can be envisaged. The multiplexer 20a is then equivalent to a simple switch controlled by the processor P₀. In this case, it is advantageous for the processor P₀ to continue to execute operations (act as a decoy) when the coprocessor P₁ is in service.
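As an added illustration that is not part of the patent, the following C model mirrors the control sequence of the FIG. 3 arrangement: processor P switches multiplexer 20 to battery 19 and starts decoy circuit 29 for the sensitive steps, and re-enables charging circuit 25 only once supply 13 is powering it again; a second routine reports the current a probe at contact terminal 16a would see for each step. The current figures, the battery level and all function and field names are constructed assumptions.

```c
#include <stdbool.h>

/* Hypothetical model of the FIG. 3 arrangement (all names are assumptions):
 * multiplexer 20 selects what feeds supply line 22, charging circuit 25 runs
 * only while the server powers the processor, and decoy circuit 29 keeps the
 * server-side load busy during sensitive operations. */
enum source { SRC_SERVER, SRC_BATTERY };

struct card {
    enum source mux;     /* input of multiplexer 20 currently feeding line 22 */
    bool charging;       /* charging circuit 25 enabled */
    bool decoy_running;  /* decoy circuit 29 executing */
    int battery_units;   /* constructed energy-store level, arbitrary units */
};
struct step { int operand; bool sensitive; };

/* Constructed leakage model: a processor step draws current depending on the
 * Hamming weight of its operand, the usual SPA/DPA assumption. */
static int popcount8(unsigned v) {
    int n = 0;
    for (v &= 0xffu; v; v >>= 1) n += (int)(v & 1u);
    return n;
}
static int processor_current(int operand) { return 10 + popcount8((unsigned)operand); }
enum { DECOY_CURRENT = 12, CHARGE_CURRENT = 3 };  /* operand-independent draws */

static void begin_sensitive(struct card *c) {
    c->charging = false;      /* claim 3: never charge while the battery supplies P */
    c->mux = SRC_BATTERY;     /* line 22 now fed by battery 19 */
    c->decoy_running = true;  /* server keeps powering the decoy (claim 6) */
}
static void end_sensitive(struct card *c) {
    c->decoy_running = false;
    c->mux = SRC_SERVER;
    c->charging = true;       /* recharge from supply 13 while the server powers P */
}

/* Current at contact terminal 16a for one step, i.e. what a probe on the
 * reader side records. Battery-powered steps expose only decoy and charger. */
static int observed_current(struct card *c, int operand) {
    int draw = c->charging ? CHARGE_CURRENT : 0;
    if (c->mux == SRC_SERVER) {
        draw += processor_current(operand);
    } else {
        c->battery_units -= 1;  /* data-dependent draw is absorbed by the battery */
        if (c->decoy_running) draw += DECOY_CURRENT;
    }
    return draw;
}

/* Runs a step sequence, switching the multiplexer around each sensitive run,
 * and fills trace[] with the server-side samples. Returns the sample count. */
static int run_steps(struct card *c, const struct step *s, int n, int *trace) {
    for (int i = 0; i < n; i++) {
        if (s[i].sensitive && c->mux == SRC_SERVER) begin_sensitive(c);
        if (!s[i].sensitive && c->mux == SRC_BATTERY) end_sensitive(c);
        trace[i] = observed_current(c, s[i].operand);
    }
    if (c->mux == SRC_BATTERY) end_sensitive(c);
    return n;
}
```

Two transactions that differ only in the operands of their sensitive steps give identical samples at 16a for those steps, while the same operands fed to processor_current() differ, which is exactly the separation the method relies on.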

CLAIMS

1. A method of protecting a microcircuit electronic entity such as a microcircuit card against current analysis attack, of the type consisting in associating with said microcircuit (15) an energy store (19) placed inside said entity, characterized in that, during an exchange of information in which said entity is coupled to a server (12) adapted to provide it with an electrical power supply (13), at least a portion of said microcircuit is supplied with electrical power provided by said energy store during the execution of predetermined operations by said at least one portion of said microcircuit, said server supplying electrical power to said microcircuit during the execution of other operations.

2. A method according to claim 1, characterized in that said energy store (19) is rechargeable and is charged with electrical energy supplied by said server (13) when said electronic entity is coupled thereto.

3. A method according to claim 2, characterized in that the charging (25) of said battery (19) is commanded outside time periods in which said battery is used to supply power to at least one portion of said microcircuit.

4. A method according to claim 2 or claim 3, characterized in that said battery is at least partly charged with electrical energy generated by solar means by means of a photoelectric cell (27) integrated into said electronic entity.

5. A method according to any one of claims 1 to 4, characterized in that said predetermined operations are executed by a coprocessor (P₁) supplied with power by said battery (19).

6. A method according to any one of claims 1 to 4, characterized in that a processor (P) is switched so that it is supplied with power by said battery (19) when it is executing said predetermined operations and, during said time periods, said server supplies power to a decoy circuit (29) which continues to effect operations.

7. An encrypted access electronic entity comprising a microcircuit (15) and means (16a, 16b) for coupling the latter to a server (12) itself provided with electrical power supply means (13) for supplying power to said microcircuit via said coupling means, characterized in that it further includes an integrated energy store (19) and selector means (20) adapted to switch the power supply of at least a portion of said microcircuit to said energy store when predetermined operations are being executed by said at least one portion of said microcircuit.

8. An electronic entity according to claim 7, characterized in that said selector means include a multiplexer (20) or the like controlled by a processor (P) of said microcircuit, said multiplexer has two inputs, one of which is connected to a contact terminal (16a) for the connection to the electrical power supply means of said server and the other of which is connected to said energy store (19), an output of said multiplexer is connected to an electrical power supply line (22) of said processor, and said multiplexer is commanded by said processor to effect said selection between the electrical power supply means of said server and said energy store.

9. An electronic entity according to claim 8, characterized in that a circuit (25) for charging said energy store is connected between said contact terminal (16a) and said energy store (19) and said charging circuit is commanded by said processor (P) to charge said energy store when said at least one portion of said microcircuit is being supplied with power via said server.

10. An electronic entity according to claim 8, characterized in that it includes a photoelectric cell (27) connected to charge said energy store.

11. An electronic entity according to claim 9 in conjunction with claim 10, characterized in that said photoelectric cell (27) is connected to said charging circuit (25).

12. An electronic entity according to claim 7, characterized in that said microcircuit includes a main processor (P₀) and a coprocessor (P₁), the latter being dedicated to execution of said predetermined operations, and said coprocessor (P₁) is supplied with power by said energy store (19) via said selector means.

13. An electronic entity according to claim 7, characterized in that said microcircuit includes a decoy circuit (29) connected to said coupling means to be supplied with power directly by said server and said decoy circuit is commanded to execute operations when said at least one portion of said microcircuit is being supplied with power by said energy store.